Decrypting SHA1 Hash


Adam Carpenter

Hello,

I have my users' passwords stored in my DB as hashes created using
SHA1CryptoServiceProvider. Here is the function:

Imports System.Text
Imports System.Security.Cryptography

Public Shared Function EncryptPassword(ByVal password As String) As Byte()
    ' Encode the password as UTF-16 bytes (this is the hash input, not yet a hash)
    Dim encoding As New UnicodeEncoding()
    Dim hashBytes As Byte() = encoding.GetBytes(password)
    ' Compute the SHA-1 hash
    Dim sha1 As New SHA1CryptoServiceProvider()
    Dim cryptPassword As Byte() = sha1.ComputeHash(hashBytes)
    Return cryptPassword
End Function

Question is, how can I decrypt the password so my 'forgot password' logic
can mail it to them? I can't seem to find a method anywhere!?!

Many thanks in advance.

Adam
 

Herfried K. Wagner [MVP]

Adam Carpenter said:
I have my users' passwords stored in my DB as hashes created using
SHA1CryptoServiceProvider. Here is the function:

Public Shared Function EncryptPassword(ByVal password As String) As Byte()
    Dim encoding As New UnicodeEncoding()
    Dim hashBytes As Byte() = encoding.GetBytes(password)
    ' Compute the SHA-1 hash
    Dim sha1 As New SHA1CryptoServiceProvider()
    Dim cryptPassword = sha1.ComputeHash(hashBytes)
    Return cryptPassword
End Function

Question is, how can I decrypt the password so my 'forgot password' logic
can mail it to them? I can't seem to find a method anywhere!?!

You cannot get the original data from the hash code.
 

Tom Spink

Hi Adam, a hash cannot be decrypted, that is the point of them.

The only way to determine what the hash was originally is to compare it with
the hashed version of the original data, hashes are unique.

You could brute force your hash, but that takes a lot of processing time,
about a few billion years.

--
HTH,
-- Tom Spink, Über Geek

Please respond to the newsgroup,
so all can benefit

" System.Reflection Master "

==== Converting to 2002 ====
Remove inline declarations


 

Herfried K. Wagner [MVP]

Tom Spink said:
The only way to determine what the hash was originally is to compare it with
the hashed version of the original data, hashes are unique.

You could brute force your hash, but that takes a lot of processing time,
about a few billion years.

<http://www.distributed.net/>
 

Tom Spink

Hi Herfried, (you're for it now <grins>)

Hardly realistic for 'Forgotten Password' logic ;-)

If Adam's still watching the thread, then perhaps he should provide 'Reset
Password' logic instead.

--
HTH,
-- Tom Spink, Über Geek

Please respond to the newsgroup,
so all can benefit

" System.Reflection Master "

==== Converting to 2002 ====
Remove inline declarations


 

Jerry Ham

Have your "forgot password" logic create a NEW password for them and mail
them that one.

Otherwise you are trying to solve something that can't be easily solved.

Jerry
 

Michael Giagnocavo [MVP]

Creating a new password is the way to go. This also adds some security
because let's say that an unauthorized user can obtain via the "forgot
password". Now, the unauthorized user can use the system, but the REAL user
can too. He doesn't know anything has happened.

Making the password be reset makes any legit users know of it (since they
can no longer log in), and any breach via this method will be discovered
faster.

-mike
MVP
 

Adam Carpenter

Hello,

Thank you very much for your comments. Given what has been said, I am going
to pursue a reset password route in combination with some additional
security questions. I totally agree that the less information I can expose
the better, especially given the point that some raised that users would tend
to use the same password across multiple sites.

Thanks again,

Adam
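
The approach the thread settles on, as an added example that is not code from any poster: login re-hashes the candidate and compares, and "forgot password" issues a new random password while storing only its hash, so the original no longer verifies after a reset. It swaps the bare SHA-1 call for salted PBKDF2 (Rfc2898DeriveBytes with SHA-256, which needs .NET Framework 4.7.2 or later); the module and function names, the in-memory store and the iteration count are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

Public Module PasswordResetDemo   ' hypothetical names; in-memory store stands in for the DB
    Private ReadOnly Store As New Dictionary(Of String, Byte()())   ' user -> {salt, hash}
    Private Function RandomBytes(n As Integer) As Byte()
        Dim buf(n - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(buf)
        End Using
        Return buf
    End Function

    ' Salted PBKDF2 in place of the bare SHA-1 call; 100000 iterations is an assumed work factor.
    Private Function Derive(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function
    Public Sub SetPassword(user As String, password As String)
        Dim salt As Byte() = RandomBytes(16)
        Store(user) = New Byte()() {salt, Derive(password, salt)}
    End Sub

    ' Login never decrypts: hash the candidate and compare without an early exit.
    Public Function Verify(user As String, candidate As String) As Boolean
        Dim rec As Byte()() = Nothing
        If Not Store.TryGetValue(user, rec) Then Return False
        Dim actual As Byte() = Derive(candidate, rec(0))
        Dim diff As Integer = 0
        For i As Integer = 0 To actual.Length - 1
            diff = diff Or (actual(i) Xor rec(1)(i))
        Next
        Return diff = 0
    End Function

    ' "Forgot password": issue a new random password, keep only its hash, return it for mailing.
    Public Function ResetPassword(user As String) As String
        Dim fresh As String = Convert.ToBase64String(RandomBytes(12))
        SetPassword(user, fresh)
        Return fresh
    End Function
    Public Sub Main()
        SetPassword("adam", "original secret")                 ' constructed sample data
        Dim mailed As String = ResetPassword("adam")
        Console.WriteLine(Verify("adam", "original secret"))    ' the password that was replaced
        Console.WriteLine(Verify("adam", mailed))               ' the password that was mailed
    End Sub
End Module
```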
 
